You should set the following attributes on the <httpCookies> element in the <system.web> section of your web.config file:
- httpOnlyCookies – adds the HttpOnly flag to every cookie the application issues, so client-side script cannot read it (document.cookie does not return it). This limits the damage of an XSS vulnerability: an injected script cannot simply read the session ID from the session cookie or the forms authentication ticket from the authentication cookie. The flag does not prevent XSS itself, and note that ASP.NET issues the forms authentication cookie with HttpOnly regardless of this setting.
- requireSSL – adds the Secure flag, so the browser sends the cookies only over HTTPS. This prevents the cookies from being eavesdropped on a plain HTTP connection, but it also means that every part of the site that relies on these cookies must be served over HTTPS, otherwise the browser will not send them and users appear logged out. Set requireSSL on the <forms> element as well, so the authentication cookie gets the same protection.
To protect sessions against hijacking and fixation, you should set the following attributes in the sessionState element:
- mode – specifies where session state values are stored (InProc, StateServer, SQLServer or Custom). InProc state is lost when the application pool recycles and cannot be shared across a web farm; on a farm, use an out-of-process store.
- cookieless – specifies whether the session ID travels in a cookie or in the URL. Use UseCookies: a session ID embedded in the URL ends up in browser history, bookmarks, proxy logs and Referer headers, and makes session fixation trivial.
- timeout – specifies the number of minutes a session can be idle before it is abandoned. Keep it as short as the application allows (the default is 20 minutes) to shorten the window in which a stolen session ID is useful.
See page sessionState Element (ASP.NET Settings Schema) for reference.
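The following web.config fragment is an added example of the cookie and session settings described above, not configuration taken from the page or shipped by Kentico. The forms loginUrl and the timeout values are assumptions; adjust them to your site.

```xml
<configuration>
  <system.web>
    <!-- Every cookie ASP.NET issues gets HttpOnly (no script access) and Secure (HTTPS only).
         With requireSSL="true" the whole site must be served over HTTPS. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <authentication mode="Forms">
      <!-- loginUrl is an assumed path. requireSSL puts the Secure flag on the auth cookie;
           cookieless="UseCookies" refuses tickets carried in the URL.
           The auth cookie is always HttpOnly, independent of httpCookies above. -->
      <forms loginUrl="~/CMSPages/logon.aspx"
             requireSSL="true"
             cookieless="UseCookies"
             slidingExpiration="true"
             timeout="20" />
    </authentication>

    <!-- Session ID only in a cookie (never in the URL), short idle timeout.
         mode="InProc" is fine for a single server; use StateServer or SQLServer on a web farm. -->
    <sessionState mode="InProc"
                  cookieless="UseCookies"
                  timeout="20" />
  </system.web>
</configuration>
```

After deploying, verify the result from a browser's developer tools: the ASP.NET_SessionId and .ASPXAUTH cookies must show both the HttpOnly and Secure attributes, and neither value should ever appear in a URL.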
Error messages and disabling debug and trace
You should unify the handling of all types of errors and exceptions in your application by adding the <httpErrors> element to the <system.webServer> section of your web.config file, so that a failing request always produces your own page instead of the default ASP.NET error page with its stack trace and source path. See Creating custom error handling pages for more information.
Before deploying your website to the live environment, you should also disable debugging and tracing in the web.config file: the information they expose (stack traces, source file paths, session and request details) must not reach users.
Debugging is controlled by the debug attribute of the <compilation> element in the <system.web> section; set it to false. Besides hiding detail from error pages, a debug build also disables script and resource caching and has no request timeout, so leaving it on hurts performance and makes resource exhaustion easier.
Tracing is controlled by the <trace> element, also in the <system.web> section; set its enabled attribute to false (or at least localOnly to true, so that trace output is never served to remote clients).
Note that you can also configure tracing for web pages individually using the Trace attribute in the @ Page directive at the top of your .aspx files. The page-level attribute takes precedence over the web.config setting, so before deployment also search your .aspx files for pages that still set Trace to true.
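The following web.config fragment is an added example of a hardened production configuration for the settings just described; it is not configuration from the page or from Kentico. The error page paths are assumptions.

```xml
<configuration>
  <system.web>
    <!-- Never deploy debug="true": stack traces and source paths leak into error output,
         and the debug build has no request timeout. -->
    <compilation debug="false" />

    <!-- Page tracing off. localOnly="true" is the safety net if someone re-enables it. -->
    <trace enabled="false" localOnly="true" />

    <!-- ASP.NET level error handling: remote users always get the custom page.
         mode="RemoteOnly" still shows full detail to requests from localhost;
         use mode="On" if developers should never see detail on the live server.
         The defaultRedirect path is an assumed value. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/CMSMessages/Error.aspx" />
  </system.web>

  <system.webServer>
    <!-- IIS level error handling (covers errors raised before ASP.NET runs, e.g. 404 for
         static files). responseMode="ExecuteURL" keeps the original status code instead of
         redirecting with a 302. The paths are assumed values. -->
    <httpErrors errorMode="Custom" existingResponse="Replace">
      <remove statusCode="404" />
      <error statusCode="404" path="/CMSMessages/PageNotFound.aspx" responseMode="ExecuteURL" />
      <remove statusCode="500" />
      <error statusCode="500" path="/CMSMessages/Error.aspx" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>
```

A quick check after deployment: request a non-existent page and a page that throws, from a machine other than the server, and confirm that both responses carry the custom page, the correct status code, and no stack trace, file path or .NET version string in the body.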
Request validation is an ASP.NET mechanism that rejects requests whose query string, form fields or cookies contain HTML-like markup (for example a <script> tag), which is one common payload of XSS attacks; it is a coarse filter and does not replace output encoding. In Kentico, request validation is disabled by default, because some parts of the system (for example the WYSIWYG editor) legitimately submit markup that the validator would reject. However, you can change this setting individually and enable request validation only for chosen live site pages using the ValidateRequest attribute of the @ Page directive.
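As an added example (not from the page or from Kentico), the same per-page selection can be made centrally in web.config with <location> elements, which keeps the list of validated pages in one place and does not require editing each .aspx file. The page paths are assumptions. This assumes the application runs with requestValidationMode 2.0 (set on <httpRuntime>), the mode in which per-page settings are honored; in the 4.0 mode introduced with ASP.NET 4, validation is applied to every request and the page-level setting is ignored.

```xml
<configuration>
  <system.web>
    <!-- Per-page settings only take effect in validation mode 2.0 -->
    <httpRuntime requestValidationMode="2.0" />
    <!-- Application-wide default: off, so the editor and other CMS parts can post markup -->
    <pages validateRequest="false" />
  </system.web>

  <!-- Public pages that only ever receive plain text: turn validation on for these.
       Equivalent to ValidateRequest="true" in each page's @ Page directive. -->
  <location path="Contact.aspx">
    <system.web>
      <pages validateRequest="true" />
    </system.web>
  </location>
  <location path="Search.aspx">
    <system.web>
      <pages validateRequest="true" />
    </system.web>
  </location>
</configuration>
```

To confirm the setting works, request one of the listed pages with a query string such as ?q=<script> and check that ASP.NET answers with its "potentially dangerous Request.QueryString value" error (served through your custom error page on the live site), while the same request to an unlisted page is processed normally.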
View state validation
In Kentico, the view state MAC is computed with the machine key and additionally with a private per-user key (the ViewStateUserKey), so that a view state captured in one user's session cannot be replayed in another user's session. You can disable the per-user key using the CMSUseViewStateUserKey key (but we do not recommend it).
View state validation (the MAC check) is enabled globally with the enableViewStateMac attribute of the <pages> element in the <system.web> section of the web.config file. Never turn it off: without the MAC, anyone can submit arbitrary view state, which is a well-known path to remote code execution through deserialization. .NET Framework 4.5.2 and later enforce the MAC regardless of this setting.
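The following web.config fragment is an added example of view state protection settings, not configuration from the page or from Kentico. The key values are placeholders to be replaced with your own random hex strings, and the value format of the CMSUseViewStateUserKey application key is an assumption; the page only names the key.

```xml
<configuration>
  <appSettings>
    <!-- Kentico's per-user view state key. The value format is assumed; keep the user key on. -->
    <add key="CMSUseViewStateUserKey" value="true" />
  </appSettings>

  <system.web>
    <!-- MAC on (integrity) and encryption always on (confidentiality of data stored in view state).
         Encryption matters when controls keep sensitive values in view state. -->
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />

    <!-- Explicit keys rather than AutoGenerate: required on a web farm (every node must use the
         same keys) and it also survives application pool recycles. Generate the hex strings
         with a cryptographically secure random source (for example IIS Manager's Machine Key
         feature) and treat them as secrets; never copy them from documentation. -->
    <machineKey validationKey="REPLACE_WITH_128_RANDOM_HEX_CHARACTERS"
                decryptionKey="REPLACE_WITH_64_RANDOM_HEX_CHARACTERS"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
```

Because the machineKey protects view state, forms authentication tickets and anything else ASP.NET signs or encrypts, anyone who obtains these values can forge all of them; this is one of the sections worth encrypting in web.config (see below).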
You can find more information about the view state validation in the Cross site request forgery (CSRF/XSRF) topic.
It is also possible to encrypt the view state (the viewStateEncryptionMode attribute of the <pages> element) to further increase its protection, which matters when controls keep sensitive values in view state. See Encrypt ViewState in ASP.NET 2.0 for more information.
Encrypting individual sections of the web.config file
You can encrypt chosen sections of the web.config file (typically <connectionStrings>, <machineKey> and any section holding credentials), which prevents attackers from obtaining sensitive information (passwords, the connection string, etc.) if they manage to get hold of the file, for example through a path traversal or source disclosure bug or a stolen backup. Encryption is done with one of the protected configuration providers:
- DPAPI – the key is bound to the machine (or to the application pool account), so the encrypted file is useless anywhere else; this is the stronger choice for a single server, but the same encrypted file cannot be read by other nodes, so it is not suitable for web farms. See How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI.
- RSA – uses a named RSA key container that can be exported and imported on every node, so it is suitable for securing the web.config files on web farms. See How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA.
Decryption is handled natively by ASP.NET when the configuration is read, so the application code does not change: ConfigurationManager still returns the plaintext values.
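As an added example (not configuration from the page or from Kentico), this is the RSA variant for a web farm: the provider is declared in web.config, and the aspnet_regiis commands that create, use and distribute the key container are shown as comments. The provider name, key container name, application paths and application pool identity are assumptions.

```xml
<configuration>
  <!-- 1. Declare an RSA provider bound to a named key container.
          useMachineContainer="true" stores the key at machine level so the
          application pool identity can be granted access to it. -->
  <configProtectedData defaultProvider="KenticoRsaProvider">
    <providers>
      <add name="KenticoRsaProvider"
           type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           keyContainerName="KenticoKeys"
           useMachineContainer="true" />
    </providers>
  </configProtectedData>

  <!-- 2. On the first node, run (as an administrator; all names below are assumed):
          aspnet_regiis -pc KenticoKeys -exp
              create the container; -exp makes the private key exportable for the farm
          aspnet_regiis -pa KenticoKeys "IIS APPPOOL\Kentico"
              let the application pool identity read the key
          aspnet_regiis -pef connectionStrings C:\inetpub\kentico -prov KenticoRsaProvider
              encrypt the section in place; repeat for system.web/machineKey
          aspnet_regiis -px KenticoKeys C:\keys\KenticoKeys.xml -pri
              export the container including the private key

       3. On every other node:
          aspnet_regiis -pi KenticoKeys C:\keys\KenticoKeys.xml
          aspnet_regiis -pa KenticoKeys "IIS APPPOOL\Kentico"
          then securely delete KenticoKeys.xml; it is the plaintext private key.

       4. To get the plaintext back for editing: aspnet_regiis -pdf connectionStrings C:\inetpub\kentico -->

  <!-- After -pef the section looks like this; the EncryptedData body is omitted here. -->
  <connectionStrings configProtectionProvider="KenticoRsaProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <!-- ...EncryptionMethod, KeyInfo and CipherData written by aspnet_regiis... -->
    </EncryptedData>
  </connectionStrings>
</configuration>
```

Two checks are worth doing: confirm the site still starts (a failure to decrypt shows up as a configuration error on the first request, which usually means the pool identity was not granted access with -pa), and confirm that the plaintext values no longer appear anywhere on disk, including in backups and deployment packages taken before the encryption step.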